Netstat – Examples used for finding DDoS

This displays all active Internet connections to the server. Note that plain netstat -an output lists every socket, including listening sockets and connections in states such as SYN_RECV and TIME_WAIT, so if you want only established connections you have to filter on the State column explicitly.

netstat -an |grep :80 |sort

Shows only connections involving port 80 (the HTTP port, so this is useful if you run a web server) and sorts the results so that lines from the same remote address end up next to each other. This makes a single-source flood easy to spot: one IP address with a long run of connections. Two caveats: grep :80 matches the port on either the local or the remote side and also matches ports such as :8080, so inspect the Local Address column; and the output includes every connection state, not just ESTABLISHED.

netstat -n -p|grep SYN_REC |wc -l

This command counts how many sockets are currently in the SYN_RECV state (half-open connections where the server has answered the client's SYN but has not yet received the final ACK). The number should be low, preferably under 5. During a SYN flood or a mail bomb it can jump very high. The value depends on the system and its traffic, though, so a figure that is alarming on one server may be normal on another; compare against your own baseline. The grep pattern SYN_REC is a prefix of SYN_RECV, so it matches the state as Linux prints it, and -p (which needs root to show the owning process) is not required for the count.

netstat -n -p |grep SYN_REC |sort -u

Lists every SYN_RECV entry instead of just a count. sort -u removes duplicate lines only, and each line still contains the remote port, so the same IP address will appear once per source port.

netstat -n -p |grep SYN_REC |awk '{print $5}' |awk -F: '{print $1}' |sort -u

Lists the unique IP addresses of the nodes whose connections are sitting in SYN_RECV. The fifth column is the foreign address in host:port form; the second awk cuts off the port, and sort -u collapses the addresses to one line each (without it the same address is printed once per half-open connection). Splitting on the first colon only works for IPv4; an IPv6 address contains colons itself and would be truncated.

netstat -ntu |awk '{print $5}' |cut -d: -f1 |sort|uniq -c |sort -n

Uses netstat to count how many connections each remote IP address has to the server, across TCP and UDP (-t -u) and every connection state, with the busiest addresses listed last. The two header lines that netstat prints are not skipped, so expect a couple of junk entries such as "address" and "(w/o" at the top of the list, and, as above, cutting at the first colon truncates IPv6 addresses.
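The one-liners above share the same parsing steps (skip the header, pick the foreign-address column, strip the port, count or dedupe). The script below is an added example that is not part of the original page: it collects those steps into shell functions that read netstat -ntu style output from standard input, strips the port at the last colon so IPv6 peers survive, and skips the two header lines. The SAMPLE text is constructed for the demonstration (documentation addresses, not a real capture); the function names are mine.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output; not a real capture.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.33:55000        ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::abcd:5000     SYN_RECV
udp        0      0 10.0.0.5:53             192.0.2.33:55001        ESTABLISHED'

# Columns of netstat -ntu: $4 = local addr:port, $5 = foreign addr:port, $6 = state.
# NR > 2 skips the two header lines that the bare one-liners let through.
# sub(/:[^:]*$/, "", ip) drops the port at the LAST colon, so IPv6 peers are kept whole.

# "count ip" per remote peer, busiest last (the netstat -ntu | ... | uniq -c recipe).
peer_counts() {
    awk 'NR > 2 { ip = $5; sub(/:[^:]*$/, "", ip); print ip }' | sort | uniq -c | sort -n
}

# Number of half-open (SYN_RECV) sockets; a spike suggests a SYN flood.
syn_recv_count() {
    awk 'NR > 2 && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Unique peers that currently hold a half-open connection.
syn_recv_peers() {
    awk 'NR > 2 && $6 == "SYN_RECV" { ip = $5; sub(/:[^:]*$/, "", ip); print ip }' | sort -u
}

# Connections to LOCAL port 80 only, so remote port 80 and ports like 8080 do not match.
port80_conns() {
    awk 'NR > 2 && $4 ~ /:80$/' | sort
}

# Remote address with the most connections in the input.
top_talker() {
    peer_counts | tail -n 1 | awk '{ print $2 }'
}

# Demonstration on the constructed sample; replace printf with `netstat -ntu` on a live host.
printf '%s\n' "$SAMPLE" | peer_counts
printf 'SYN_RECV sockets: %s\n' "$(printf '%s\n' "$SAMPLE" | syn_recv_count)"
printf 'Top talker: %s\n' "$(printf '%s\n' "$SAMPLE" | top_talker)"
```

Against the sample this reports four SYN_RECV sockets from three distinct peers, and 203.0.113.7 as the top talker with three connections; the IPv6 peer 2001:db8::abcd is counted as one address rather than being cut at its first colon. On a live server feed the functions with netstat -ntu (or ss -ntu, which prints the same columns after a similar two-line header) and compare the numbers against the host's normal baseline.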